FaceTime for Mac Beta Opens Up Security Hole to Allow for Compromised Apple IDs

[krzyglue]

I think the security point that shouldn't be ignored is this:

A software should NEVER permit anyone to change the password without first typing in the OLD password as confirmation. This is why web services ALWAYS ask you to confirm your OLD password before changing your password even though you're already logged in.

Even if I were to have physical access to your computer, I shouldn't be able to change that Apple ID password without confirming your old password, period. That's a security oversight and should be fixed. Arguing physical access is required is moot, since this is a fundamental decision flaw in security.

An interesting point. Because it is beta, I am more inclined to essentially "not blame" them for this. On the other hand, I cannot think of a single service out there that doesn't require a re-entry of the password to change it, even if already logged in. Period.

 

[RodThePlod]

...but I took your post as it saying that it's Apple's responsibility to not show the user's information on the Facetime software. They could fix the software not to show it but I just think the user should be aware of their surroundings rather than expect the developer to protect them. Sorry if I misunderstood your post.

No probs - we agree on both points so it's cool

It's absolutely the user's resposibility to exersise best practices whenever dealing with their own personal information. I work in the PC security area and know this only too well. In addition, though, it's also up to the software architects and developers to ensure that they have taken reasonable steps to minimize the potential for unintentional disclosue of private information in their product.

In this example, I think it was probably a case of lax programming which made the Beta ship like this. It's something that shouldn't have happened, but as we've said many times in this thread - it's a beta. And beta products, by their very nature, will always contain 'WTF' bugs, howlers, and issues which (mostly) all get resolved by the time the finished product ships.

The good news is that multiple bug reports were made yesterday and Apple were able to easily fix this in the back-end

 

[dbendixen]

Clearly this would be a user-created security threat--why are you giving physical access to your computer to someone who would even want to steal your iTunes credentials?

 

[leonstafford]

meh, security. Good luck them trying to do anything with my MB after Facetime runs. When caller switches from front cam to back cam, the Quartz 3D rotation thing freezes up my Mac. get sound still from caller but everything else frozen, can't force quit, only hard reset. Releasing ****** betas is something M$ does, Apple tests stuff super thoroughly in house, they don't need to release not quite ready apps... cheapens the name

 

[MacKeeper-fan]

iTunes, iPhone, iPod Touch, iPad, iChat, Adium, Mail, Safari, Firefox, etc. all have the same option: you can view your account, change passwords, etc. I’ve tried it in FaceTime, the option is there but it does nothing, it switches back to the previous view (it doesn’t display my account details). Being logged into any service/application on your machine opposes a security risk for anyone that has physical access to it. This is hardly a FaceTime security issue, it’s a general issue. It is the main reason why one should use a password on one’s computer and lock the machine when leaving. Logging out of the application/service also helps. The only problem in this case would be the fact FaceTime keeps remembering the password. Something Hotmail does as well if you opt for it.

 

[frankly]

iTunes, iPhone, iPod Touch, iPad, iChat, Adium, Mail, Safari, Firefox, etc. all have the same option: you can view your account, change passwords, etc. I’ve tried it in FaceTime, the option is there but it does nothing, it switches back to the previous view (it doesn’t display my account details). Being logged into any service/application on your machine opposes a security risk for anyone that has physical access to it. This is hardly a FaceTime security issue, it’s a general issue. It is the main reason why one should use a password on one’s computer and lock the machine when leaving. Logging out of the application/service also helps. The only problem in this case would be the fact FaceTime keeps remembering the password. Something Hotmail does as well if you opt for it.

You should go back and read the beginning of this thread. There is a HUGE difference in being able to access your account information AFTER you enter the password and being able to access information that would allow you to actually change the password without having entered it in the first place.

In iTunes, iPhoto, etc. if you click on the account you are REQUIRED to enter the password at that time.

In FaceTime before it was fixed it KEPT you logged in and would allow ANYONE with access to your machine to gain personal information tied to your account that could give them the ability to then gain access to your account.